I’ve had my credit card compromised three times; how do I prevent this from happening again?

There are some practices to help you avoid having your credit card compromised, but most card theft is typically out of our control.


In the last six months, I’ve had to cancel my credit card three times due to fraudulent activities. I frequently shop online. I have Windows 7; I use a firewall, etc. I use reliable (I thought) sources. I don’t let them save credit card info. I always check for https, etc. I seldom use my credit card at stores and when I do, I watch it carefully. My credit card company suggested either a computer virus or a malware or possibly leaks with online merchants. I have McAfee online. Could they be missing a virus or malware? How can I determine where the leak is and how on earth can I shop safely online? It angers me that I’m held hostage by these hackers every time I’ve had my credit card compromised. Can’t we get smarter than them?

Sometimes it certainly seems like we can’t, doesn’t it?

It also seems that for every barrier we put in place to protect our credit card use, hackers find new ways to run off with our card information.

Let’s look at some of the ways credit cards can be compromised and ways you can protect yourself.

I’ve had my credit card compromised too

It can be very frustrating.

Once I had both my cards compromised, for different reasons, while I was travelling – to Las Vegas, no less. I was afraid I’d have to do dishes to pay for my room, but my credit card company overnighted me a new card in time for check-out.

One of my cards was compromised by what I suspect was a service in which I had simply placed too much trust. The other? I have no idea.

So let’s look at some of the ways it can happen.

Check for malware

To answer your very first question, could your anti-malware tool be missing something?

What I suggest you do is get yourself another anti-malware tool, perhaps a couple, and periodically run additional complete scans of your system. (What Security Software do you Recommend? has some recommendations.) One specific tool I recommend often is the free version of Malwarebytes Anti-malware, which has a reputation for catching a lot of things that many other tools do not.

Make sure that all of your anti-malware software is up-to-date, running the most recent versions, and running its most recent database. Remember, the version of the software may change every year or six months or so, but the database it uses will change daily, if not multiple times per day.

Always make sure you’re running the latest version of both the software and its malware database.

If you have more than one machine at home, and they are connected to a single router, then by definition you have a local network. Make sure that all the other machines on that network are free of malware.

It’s possible that malware on a machine could be “sniffing”, or watching the traffic on your network. Usually, that’s not the case, but given the number of times that things have gone wrong for you, that’s something else that quickly comes to mind.

When you’re not able to trust another machine on your network, it’s very much like using an open Wi-Fi hotspot. That other machine could be doing all sorts of interesting things that could compromise your security. It’s important that all of the machines connected to your router are secure and free of malware. Make sure you’re up-to-date and running appropriate scans on all of them.

Physical theft

We’re often quick to blame our computers (or the internet) when we experience credit card fraud.

Frequently, the issues are much more low-tech.

For example, have you ever annoyed the wait staff at a restaurant? Well, annoyed or not, when you give them your credit card, it’s out of your eyesight while they process it! [1] There definitely have been stories of clerks who take your credit card and clone or otherwise compromise it while it’s in their possession and out of your view.

Every once in a while you’ll hear about bank machines or gas station pumps that have had what’s called a “skimmer” installed in front of the card slot. It looks like a regular card slot, and unless you knew what you were looking for [2], you wouldn’t know that there was something else reading your card in addition to the pump or the cash machine. The hackers let the skimmer collect card data for a while, and then come back and remove it, walking away with the credit card information for everyone who used the machine while the skimmer was active.

That’s one way card information can be stolen without the card ever having left your hands.

Compromised databases

To be honest, by far most of the card theft that I am aware of, like most of the scenarios that you describe, is typically completely out of our control.

What happens is that large databases of credit card and other information are stolen. It’s not somebody targeting you or me, going after cards one at a time – it’s someone targeting the computers at your bank, or the grocery store where you use the card.

Those are the kinds of things that you and I don’t really have a lot of control over.

Fortunately, in addition to these breaches being rare (that’s why they make the news, after all), most credit card companies cover your losses as long as the loss isn’t due to your personal actions. Unless you’re hacking in and stealing large databases of information, you’re very likely covered.

But it is an inconvenience, no doubt about it. My Las Vegas experience was nerve-wracking enough, but to have cards compromised three times in a row, and that quickly, would be maddening.

I would most definitely look closely into both your local network and computer security, and keep a very close eye on where the card is being used.

If you are compromised a fourth time, I’d want more information to help find the cause.

This is an update to an article originally posted in Answercast #65 on October 29, 2012

Footnotes and references

1: To be clear, this is uncommon – most restaurant servers wouldn’t dream of abusing your credit card no matter how much of a jerk you might be. But I can see it happening. So, don’t be a jerk. It’s an unexpected and yet important part of keeping your information secure. Tipping generously helps as well, I’m sure.

2: I wish I could tell you what to look for, but it varies. I just keep an eye out for anything that seems out of the ordinary, particularly for those places I visit frequently.

About Leo

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.

Comments

Until the original poster is able to figure out how his/her credit card number is being stolen, he may want to try using a “virtual credit card” for his online purchases. These virtual credit cards are offered by many banks on their websites, and they are linked to the number on your physical credit card. You create one virtual credit card with a given unique number for each vendor. You set the dollar limits and the expiration dates for each virtual credit card. The vendors see only your virtual credit card numbers — not your “actual” credit card number with the big credit limit. You can shop online more safely when you use this method recommended by many security experts.

In my earlier post, I should have said: Try using a virtual credit card only AFTER you first have taken the steps Leo provided to determine whether your PCs are clean. Obviously, setting up a virtual credit card online by using a malware-infected PC will not make online shopping any safer.

How timely. My credit card was just cancelled because it’s been compromised. The magnetic stripe on the back of your card is the most common way to steal your card.

In Canada we have “chip + pin” technology. A chip is embedded in the credit card. The credit card is inserted into the credit card machine and you are asked to verify the transaction using a PIN (like your ATM card does).

The chips are hard to counterfeit and so thieves tend to focus on the magnetic stripe because it’s cheap and easy (I’m sure some are working on cracking the chip technology). And even if they do, they will still need your PIN.

Your signature for a credit card transaction is old fashioned. That comes from when you were friends with the furniture salesman and bank manager. You signed your name to say you promised to pay. Now stolen credit card numbers are a hot commodity. Credit cards need to change with the times. Chip + pin make a lot more sense.

We were visiting Pennsylvania recently and I suspect it was a gas station that we visited. Because I couldn’t pay at the pump, I had to go inside and have the guy swipe my card through his machine.
Mastercard suspected two transactions which were both “swiped.”

As a rule, I never shop online, unless the company has a physical presence that I can go and visit.

I took Leo’s advice, and installed the free version of Malwarebytes.
I then tried to do the same with Microsoft Security Essentials – however, it wanted me to uninstall other security systems first (I’ve got AVG).
When I didn’t do so, Security Essentials got a bit stroppy, and gave so many dire warnings about the disastrous effects on my laptop of running two security systems, that I gave up and discontinued its installation.
Is this true? – it seems to conflict with what Leo had said, and I’ve always found his advice to be really good.

The poster appears to be compromised whilst purchasing online. I know many of your readers might not like what I suggest but – I only shop online where the seller agrees to PayPal. No problems ever and 100% peace of mind. The other post reply regarding MS Essentials I can sympathise with – if it is as clever as Leo says (and I love Leo) why does it not want to share a bed with other respectable Malware companies?

It’s not about wanting or not wanting to. The actual techniques used to scan for malware in real time will by their very nature come into conflict. It’s the nature of the technology.

The only time I used PayPal in the last year was when I was using my iPad in Venice, Italy at the apartment I was staying at. It had free WiFi. I used it to pay for a hotel in Hawaii. Someone then tried to use my PayPal account to send money to their email address but they were not registered, so it did not go through. I cancelled it and tried to get PayPal to follow up but they were not interested. Is this how PayPal is secure: you must be registered? I changed my password but should I do anything else? Could they do it again?

Here’s a quote from there: “However, as I’ve noted elsewhere, there’s no single anti-virus or anti-spyware program that will catch all viruses or spyware. So there is a case to be made for having more than one. But if you do, you need to be careful because they can, and often do, interfere with each other.”

Virtual Account Numbers! Many credit card providers will let you create a single-use number for internet use only. The first time you use it, it will then be good only for that vendor–and nowhere else. Not helpful for normal point-of-sale use, but a God-send for the internet.

I use PayPal and have for about 12 years and never had a problem. Ever. As more and more places accept PayPal it becomes more convenient. They don’t give your card number to the vendor. They reimburse themselves either from the card you provide them or from a bank account you set-up to provide funds.

I do regularly get phishing emails telling me something has been added to or done with my PayPal account and it wants me to log in to approve or disapprove it or change something. I NEVER click a link I get in an email no matter what it’s for. I ALWAYS open a web browser, enter the site into the address bar and log in the long way.

I have a couple tricks for that such as I use one of the 7 emails my ISP gives me exclusively for banking and financial related activities. That’s all I use it for. I use another for bill pay. Another is for forums and social things. There’s my ‘professional’ address, my shopping email, and my casual correspondence one. When I get a phishing email and it’s not sent to that financial only email address, I know immediately it’s bogus. If I get SPAM I know by the address where it’s likely coming from.

I also use RoboForm for my password manager and it’s very secure and IMHO the best password manager on the market. I use both the RoboForm2Go and the regular RoboForm on my home PC. The portable version, RoboForm2Go, is installed on a flash drive. When I use it on another computer it starts up and when I’m done and close it, it cleans all traces of itself leaving nothing behind. Since it automatically fills in user names and passwords, there is no typing those in so a key logger is useless, even the hardware kind that connect between a keyboard and the plug on the computer. I have my flash drive’s contents locked and encrypted and my file with my passwords is also in a locked folder on the drive. RoboForm added an online version called Roboform Everywhere or something like that but it is a yearly subscription.

Remember, when you use a credit card at any establishment where you hand it to somebody and it leaves your sight you are at risk. A friend had his card number stolen on a trip to Vegas. The only place he used it was at his hotel. A local restaurant has a waitress who was copying down numbers when she’d take the cards in her little black bill folder to the back to run them. A local liquor store used to make employees put a piece of paper over a credit card and rub it with a pencil to take an impression that was stapled to the register receipt. After they did the books they threw them in the trash which ended up in a dumpster out back. My card number was stolen that way and I didn’t know until CDW called because my $6,000.00 worth of computers and components ordered against the card was on hold because the expiration date on the card that was used was wrong.

PayPal might give you some security, but don’t let that security lull you into a false sense of security. About a year and a half ago, PayPal charged my credit card and I don’t even have a PayPal account.

As long as there are humans on this earth, they will continue to find ways to rip you off.

I stand by this one thing: I only shop online where the seller has a physical presence. If they are only represented by an email, website, or PO Box, that’s not good enough. I should be able to visit them in person (OK, I might have to take a plane to visit them, but I can visit nonetheless).

Use only one credit card for internet and one for physical transactions. This will indicate the leak source.
A debit card can also be used for internet where only a limited amount of money is deposited.

For super security load a boot disk when doing banking. Ultimate CD {Parted Magic} has Firefox included and all drivers to connect to the internet.
Long term, a reformat and reinstall of Windows is the only real safe method to clean a compromised computer. Newer computers have a backup copy of Windows in a hidden partition. Google how to access the partition if unsure.
Jp

Good one Johnpro2 … that’s our method also. And we keep the on-line card’s credit limit very low. Folks shouldn’t get sucked into that good feeling when an institution raises their credit limit, that’s another arena full of stories of financial woes. However, after reading the comments so far, we will reexamine PayPal and look into this one-time-use or virtual number issued by the credit card institution, sounds pretty cool … can tie it to the on-line card for another layer of protection. We never use a credit card in a situation where it will be out of our sight, like restaurants, for the reasons Leo stated. We go to the cashier. One last word: RFID blocking metal wallets that are NFC compliant.

One comment re credit card info to buy things: the simple answer is don’t ever divulge that info over the net. USE PAYPAL instead. Two-tier protection (them and your bank), and the seller never knows WHAT YOUR BANK DETAILS ARE; you only have to give bank info to PayPal ONCE. A lot of sellers on anything are using PayPal now, and it’s easy to see those who don’t: the PayPal logo is not visible. And if a seller doesn’t like using PayPal, my answer is TOO BAD FOR THEM, for you have the choice to go somewhere else, and don’t be afraid to say so directly! And this is not an ad for PayPal; I have been using it for years and it works. And do give a latte to Ask Leo; you might be unsurprised in the ways you can do that, and this is not an ad either. I can transfer money overseas and it’s there in 24 hours usually. No bank can or will do that, and guess who owns the credit card companies? Cheers. Mark

Some credit cards offer a small program that creates a one-time-use credit card number with all of the other appropriate info. When you shop you open the program and it creates a new number just for that transaction. I use it when PayPal is not available.

The person who had their credit card hacked didn’t mention if they kept passwords on their computer. If hackers are in your computer, your passwords are theirs. I keep a ring binder with tabbed dividers for my passwords. Never on my computer. It’s a little more of a hassle, and if there’s ever a fire my passwords are gone. But I know I can get the important ones back from whatever company I need.

Did you know that apparently, credit and debit cards can be cloned whilst they’re still in your wallet, using portable cloning equipment? I don’t know how often this method is used but I keep all my cards in a RFID Protected wallet just in case 🙂 I also use PayPal whenever it is accepted by online shops. And I NEVER allow restaurant staff to take my card out of my sight. Fortunately, most restaurants now use portable card machines, so they no longer need to take your card to the till:-)

I am using a CitiCard credit card. The company offers a small free program which generates virtual card numbers with associated security codes. Features permit you to define a maximum dollar amount and an expiration date for that specific transaction. The program generates a unique number for each transaction. The charge is then transferred automatically to your real credit card. You have private access to records of each transaction along with cancel capability on transactions which are still active (not processed).

I have been using this system for years for internet purchases and have been very pleased with the service. It can be used for internet purchases only. It is known as Citi Virtual Account Numbers, again, available from CitiCard.

What I have never understood is why businesses like Home Depot need to save my credit card number in their computer after they have settled the transactions with the bank (usually overnight for most large businesses). Businesses that do this are posting an open invitation to be hacked. Sure a refund happens a few seconds quicker, but it really doesn’t take that much time for me to pull out my wallet and insert my card in their machine. A minor inconvenience for a ton of security.

I can think of one case where storing the credit card number might help. Once I went to a shop for a refund and didn’t have the card I used with me at the time. Lost more time than a few seconds on that one, although the time lost was compensated by the security.

I would rather have to accept a gift card because I forgot my credit card so that I could gain confidence that no hacker is going to break in and steal my credit card. If it didn’t happen, I wouldn’t worry. But it happened to Target; it happened to Home Depot; it happened to Home Sense. These are all major retail stores. How can they be so lackadaisical in their security? Or maybe security is not all that it’s cracked up to be. If I can’t trust the major chains to be fool-proof in their security, how can I trust anyone else?

Unfortunately some card companies just don’t seem to care. To explain further. For business reasons I used to visit Brasil, and did this several times over the past years. Every single time at least one of my cards would be compromised. I did get reimbursed. In Brasil the large majority of credit card transactions are wireless, the vendor brings a wireless machine to the buyer. This must be one of the reasons. This got so bad for me that eventually I just took lots of cash and only paid by cash.
However on one trip I only used my Amex and only in one place so I knew with 100% certainty exactly where the card details had been stolen. On finding yet again that the card data had been stolen I thought OK, now I know where. My Amex is UK based and I live in far east so it cost me a bundle to report all this by phone to Amex but they just did not care. They did not even ask for information. And I thought I was helping them against the bad guys. Never again.

It’s available to newsletter subscribers – either subscribe, and you’ll get a copy, or if you’re already a subscriber just reply to an emailed copy of the newsletter asking for a copy and my assistant will get one to you. Thanks!

I have had several accounts compromised, including my Discover card (2x), Chase Mastercard and my PayPal account. Each time the credit card company recognized the activity and contacted me. I was not charged for anything I did not charge myself.

Now, I was always liable for charges I made and charges based on automated billing that I had arranged, which is fair.

One of the times, I believe my card info was captured by a hacked gas station pump credit reader – as I only use that card for gas purchases.

Another time, the company told me they thought it was compromised at a restaurant. A third time, by someone processing my purchase over the phone.

PayPal said that my password was hacked.

The good thing in my experience is that the companies that handle my payments have, so far, always covered the fraudulent charges.

The bad thing is that there are people out there trying to take advantage of others.

In Canada, we don’t swipe our credit cards like in the U.S. Our credit cards have an embedded chip. We insert our cards into the chip reader on the terminal and we enter a PIN. The credit card never leaves our hands. Chip & PIN technology saved my bacon a couple years ago. MasterCard thought there was something odd when I swiped my credit card in Winnipeg to purchase something at approximately the same time I used chip & PIN to buy groceries at home (a difference of over 2100 km — 1300 miles for you American folk).

So Leo’s sage advice for keeping your online accounts safe with proper passwords also applies to credit cards. Select the best PIN that you can and use the same precautions as Leo recommends for account passwords.

Still sloooowwwww. Over a year after Leo’s comment and the two Credit Unions I bank with and my Citi MasterCard have yet to offer me a card with a chip in it. However, Samsung and Google’s Android phone pay systems are working pretty well. That may be a good secure alternative.

Although nobody wants issues with their credit card online, you can mitigate the damage by having a designated card with a preset, low spending limit, say from $100- $500 or whatever you can work with. This is what I do.

Most major credit card providers offer one-time-use or disposable numbers. You may have to dig around on their site or contact them to find out if they do, but these are life savers if you never want to use your real/permanent card number online.

I’ve just had 4 cards with 2 different banks cloned; the only common store is Home Depot. They aren’t used online much, just in store. It’s happening once a month: as soon as I get the new one it gets cloned again. I suspect something is going on at the merchant or the bank itself, as I always have the cards on me. Capital One seems to be the problem? Any ideas? I have to keep updating various bills and they get hacked all over. The rare times they are used online, it’s from a Mac with a secure internet and virus scanner…

I am no expert, but it seems to me that the best way to not get your credit information stolen is to minimize exposure. I too had my credit card information stolen in 2015. In addition to checking for spyware, etc., I am just trying to use more cash. It is a little more cumbersome to carry the cash, but it is truly untraceable. Of course there is a chance of having the cash stolen from me, so I don’t carry much of it. When I shop online, I use gift cards like an Amazon gift card. I have also noticed something interesting. I hope you guys have an answer. After the last time I changed my credit card number, two websites got the number without me giving it to them. The websites were efax.com and Google Wallet. My credit card did not know how it happened. They’re trying to say I did it but I did not remember. Google said the same thing. I have not heard from efax.com yet.

Dan, the same thing has happened to me. For example, I got an email from a company about an annual charge, one that I’d planned to cancel, saying they couldn’t use the card on file. That card number had been replaced since it was last used. So I did nothing, thinking I was going to cancel anyway. Then suddenly, I got an email a couple of weeks later showing the charge had happened! I had this happen this week when I was expecting a credit from where a company charged me after cancellation. This happened months ago, and I have a new card now. Guess what? The credits came through before I could give the company the new card number. The card company HAS to be the ones allowing the charge, and the question is: Did they give the entire new number out? I had fraud on my account at the end of September, and now it’s happened again. The card company caught it fast (under $3 in charges were authorized), but I don’t know how this happened again, and I wonder if the card company was complicit.

A few years back, I received a call from the identity theft company I used. They called to say a payment got rejected from a credit card. Since the company had my computer’s IP address because I gave it to them to watch too, they said the charge came from my computer, yet my wife and I were home the whole time and not on our computer.
Since it was rejected, I never thought about looking into it too much. The card was canceled and we moved on.
Is that a malware or Trojan virus that lets people do that?
We were running XP at the time. We never used it much, so we never updated it too much.

It could be multiple things LT. The IP that the company sees is your external IP address, not internal. Any computer or smart phone on your wireless network would produce the same external IP address. Also anyone who may have cracked your wireless security on your router, using your internet for free, would produce your external IP address. A good place to start is to make sure your wireless routers have strong security settings, with all default username and passwords removed. I personally use a password generator for my network password so that it isn’t anything that could ever be guessed. It could easily have been the XP computer though. If malware infected it a hacker could have used your home network as a VPN. They would connect to your computer, then connect to any other site through your computer.

I’m in Australia and we’ve had chip-enabled cards for years, but I’ve still had my card number compromised several times. The bank security people tell me that it is because a scammer can write any number onto a card with a mag-stripe writer and then use it anywhere. Once was a restaurant for several thousand dollars. There was a Senate inquiry (last year or 2015?) into USA banks’ non-use of chip-enabled cards and apparently the reason was the cost to the banks of replacing all the retail POS (Point of Sale) machines. So to save the banks money (who also gave the world the GFC) the rest of us have to put up with periodic replacement of our cards and the consequent hassle.
